
Microsoft Sentinel Blog

Enforce Cost Limits on KQL Queries and Notebooks in the Microsoft Sentinel Data Lake

shubh_khandhadia
Apr 15, 2026

Security teams face a constant tension: run the advanced analytics you need to stay ahead of threats, or hold back to keep costs predictable. Until now, Microsoft Sentinel let you set alerts to get notified when data lake usage approached a threshold — useful for awareness, but not enough to prevent budget overruns.

Today, we're excited to announce threshold enforcement for KQL queries and notebooks in the Microsoft Sentinel data lake. With this release, you can go beyond notifications and automatically block new queries and jobs when your configured usage limits are exceeded. Your analysts keep working confidently, and your budgets stay protected.

What's new

Previously, the Configure Policies experience in Microsoft Sentinel let you set threshold-based alerts for data lake usage. You'd receive an email notification when consumption approached a limit — but nothing stopped usage from continuing past that point.


Now, you can enable enforcement on those same policies. When enforcement is turned on and a threshold is exceeded, Microsoft Sentinel blocks new queries, jobs, and notebook sessions with a clear "Limit exceeded" error. No more surprise cost spikes from runaway queries or analysts who mistakenly run heavy workloads against data lake data.


Enforcement is supported for two data lake capability categories:

  • Data Lake Query — interactive KQL queries and KQL jobs (scheduled and ad hoc)
  • Advanced Data Insights — notebook runs and notebook jobs

How it works

Consistent controls across KQL queries and notebooks

Cost controls are enforced consistently across Sentinel data lake workloads, regardless of how analysts access the data. The same policy applies whether someone is running a quick investigation or executing a long-running job.

Controls apply to:

  • Interactive KQL queries in the data lake explorer in the Defender portal
  • KQL jobs, including scheduled and ad hoc jobs
  • Notebook queries run through the Microsoft Sentinel VS Code extension
  • Notebook jobs running as background or scheduled workloads

This ensures advanced analytics remain powerful — but predictable and governed.

Clear enforcement without disruption

Enforcement is applied at execution and validation boundaries — not retroactively. This means:

  • Queries or jobs already running are not interrupted. In-flight work completes normally.
  • New queries, jobs, or notebook sessions are blocked once limits are exceeded.
  • Failures occur early (for example, during validation), avoiding wasted compute.

From an analyst's perspective, enforcement is explicit and consistent. Clear messaging appears in query editors, job validation responses, and notebooks when limits are reached — so your team always understands what happened and what to do next.


How to set it up

Prerequisites

To configure enforcement policies, you need the permissions outlined in Manage and monitor costs for Microsoft Sentinel | Microsoft Learn.

Where to access

Navigate to Microsoft Sentinel > Cost management > Configure Policies in the Microsoft Defender portal (https://security.microsoft.com).

Step-by-step configuration

  1. In Microsoft Sentinel > Cost management, select Configure Policies.
  2. Select the policy you want to edit (Data Lake Query or Advanced Data Insights).
  3. Enter the total threshold value for the policy.
  4. Enter an alert percentage to receive email notifications before the threshold is reached.
  5. Enable the Enforcement toggle to block usage after the threshold is exceeded.
  6. Review your settings and select Submit.

Once enforcement is active, administrators receive advance notifications as usage approaches the threshold. If circumstances change — for example, during an active breach — you can adjust the threshold, disable enforcement temporarily, or modify the policy to give your SOC the room it needs to respond without being blocked.
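The enforcement behaviour described under "How it works" and the threshold, alert percentage and Enforcement toggle configured in the steps above, as an added Python model written for this post (not Sentinel's implementation or any Sentinel API; the policy class, job ids and unit-less cost figures are constructed):

```python
from dataclasses import dataclass, field


@dataclass
class CostPolicy:
    """Model of one Configure Policies entry (Data Lake Query or Advanced Data Insights).
    Constructed for illustration; units are whatever the real policy meters."""
    name: str
    threshold: float           # total allowed consumption for the policy
    alert_percent: float       # email alert once usage reaches this share of the threshold
    enforcement: bool = False  # True: block new work after the threshold is exceeded
    used: float = 0.0
    alerted: bool = False
    in_flight: dict = field(default_factory=dict)

    def exceeded(self) -> bool:
        return self.used > self.threshold

    def start(self, job_id: str, estimated_cost: float) -> str:
        """Validation boundary: new work is refused early, before any compute is spent."""
        if self.enforcement and self.exceeded():
            return "Limit exceeded"
        self.in_flight[job_id] = estimated_cost
        return "started"

    def complete(self, job_id: str) -> list:
        """Execution boundary: account for finished work. Running work is never cut off,
        so consumption can overshoot the threshold; only new starts are blocked."""
        self.used += self.in_flight.pop(job_id)
        events = []
        if not self.alerted and self.used >= self.threshold * self.alert_percent / 100:
            self.alerted = True
            events.append("alert email")
        if self.exceeded():
            events.append("threshold exceeded")
        return events


def scenario(enforcement: bool) -> dict:
    """Constructed run: threshold 100, alert at 80%, four queries overshoot, a fifth tries to start."""
    p = CostPolicy("Data Lake Query", threshold=100, alert_percent=80, enforcement=enforcement)
    p.start("q1", 50); p.complete("q1")                 # used 50
    p.start("q2", 40); alert = p.complete("q2")         # used 90 -> alert email fires
    p.start("q3", 30)                                   # allowed: limit not yet exceeded
    p.start("q4", 20); over = p.complete("q4")          # used 110 -> exceeded, q3 still running
    q3 = p.complete("q3")                               # in-flight work completes normally
    q5 = p.start("q5", 10)                              # new work after the limit is exceeded
    return {"alert": alert, "over": over, "q3": q3, "q5": q5, "used": p.used}
```

With enforcement off the model only reports; with it on, q5 is refused at validation while q3, already running, still finishes.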

Real-world scenario: Preventing unexpected cost spikes

Consider a large SOC that ingests roughly 6 TB of data per day, with 1 TB going to the Sentinel Analytics tier and the remaining 5 TB going to the Sentinel data lake. Analysts are proactively hunting for threats, performing investigations, and running automation. Tier 3 analysts are also running Jupyter Notebooks against the Sentinel data lake to build graphs, execute queries, and automate incident investigation and remediation with code.

Last month, the SOC experienced a cost spike after a newly hired analyst ran large, frequent queries against data lake data — mistakenly thinking it was Analytics tier. The SOC manager needs to prevent this from happening again.


With enforcement now available, the SOC manager can navigate to Microsoft Sentinel > Cost management > Configure Policies in the Defender portal and set up two policies:

  • A Data Lake Query policy to cap data processing for KQL queries
  • An Advanced Data Insights policy to cap notebook compute consumption

With these policies in place, the SOC manager is notified in advance when consumption approaches the threshold and can be confident that the thresholds will be enforced, preventing unexpected consumption and cost. Analysts can continue their day-to-day work without worrying about accidental overages. Should a breach scenario demand more capacity, the SOC manager can quickly adjust or temporarily disable the policies, keeping the team unblocked while maintaining overall budget governance. Outside of a breach scenario, if the same analyst again scans large amounts of data, the policy blocks further queries once the threshold is exceeded.

Learn more

With enforceable KQL and notebook guardrails, Microsoft Sentinel data lake helps security teams scale advanced analytics with confidence. You can control usage in production and keep investigations moving — without tradeoffs between visibility, analytics, and budget.

To get started, visit the documentation: Manage and monitor costs for Microsoft Sentinel | Microsoft Learn


We'd love to hear your feedback. Share your thoughts in the comments below or reach out through your usual Microsoft support channels.

Updated Apr 15, 2026
Version 1.0